Gaming security by obscurity

Share/Save/Bookmark

Pavlovic, Dusko (2011) Gaming security by obscurity. In: The New Security Paradigms Workshop (NSPW) , September 12-15, 2011, Marin County, CA, USA.

[img]
Preview
PDF
547Kb
Abstract:Shannon [40] sought security against the attacker with unlimited
computational powers: if an information source conveys
some information, then Shannon’s attacker will surely
extract that information. Diffie and Hellman [13] refined
Shannon’s attacker model by taking into account the fact
that the real attackers are computationally limited. This
idea became one of the greatest new paradigms in computer
science, and led to modern cryptography.
Shannon also sought security against the attacker with unlimited
logical and observational powers, expressed through
the maxim that ”the enemy knows the system”. This view
is still endorsed in cryptography. The popular formulation,
going back to Kerckhoffs [24], is that ”there is no security by
obscurity”, meaning that the algorithms cannot be kept obscured
from the attacker, and that security should only rely
upon the secret keys. In fact, modern cryptography goes
even further than Shannon or Kerckhoffs in tacitly assuming
that if there is an algorithm that can break the system,
then the attacker will surely find that algorithm. The attacker
is not viewed as an omnipotent computer any more,
but he is still construed as an omnipotent programmer. The
ongoing hackers’ successes seem to justify this view.
So the Diffie-Hellman step from unlimited to limited computational
powers has not been extended into a step from
unlimited to limited logical or programming powers. Is the
assumption that all feasible algorithms will eventually be
discovered and implemented really different from the assumption
that everything that is computable will eventually
be computed? The present paper explores some ways to refine
the current models of the attacker, and of the defender,
by taking into account their limited logical and programming
powers. If the adaptive attacker actively queries the
system to seek out its vulnerabilities, can the system gain
some security by actively learning attacker’s methods, and
adapting to them?
Item Type:Conference or Workshop Item
Faculty:
Electrical Engineering, Mathematics and Computer Science (EEMCS)
Research Group:
Link to this item:http://purl.utwente.nl/publications/80238
Conference URL:http://www.nspw.org/2011
Export this item as:BibTeX
EndNote
HTML Citation
Reference Manager

 

Repository Staff Only: item control page